mkarchiso: open the ARCHISO_GNUPG_FD, ARCHISO_TLS_FD and ARCHISO_TLSCA_FD file descriptors only for reading

Nothing should ever be written to these files, so let's make sure it cannot happen.
2022-11-26 20:00:40 +02:00 · 2022-11-26 20:00:40 +02:00 · 2c3420204e
commit 2c3420204e
parent d31f38843a
2 changed files with 5 additions and 3 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -13,6 +13,8 @@ Changed
 -------

 - Check if the GPG public key file was successfully placed in the work directory before trying to use it.
+- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the
+  ``pacstrap`` invoked chroot should ever be allowed to write outside of it.

 Removed
 -------
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@ -336,15 +336,15 @@ _make_packages() {
    _msg_info "Installing packages to '${pacstrap_dir}/'..."

    if [[ -v gpg_publickey ]]; then
-        exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey"
+        exec {ARCHISO_GNUPG_FD}<"$gpg_publickey"
        export ARCHISO_GNUPG_FD
    fi
    if [[ -v cert_list[0] ]]; then
-        exec {ARCHISO_TLS_FD}<>"${cert_list[0]}"
+        exec {ARCHISO_TLS_FD}<"${cert_list[0]}"
        export ARCHISO_TLS_FD
    fi
    if [[ -v cert_list[2] ]]; then
-        exec {ARCHISO_TLSCA_FD}<>"${cert_list[2]}"
+        exec {ARCHISO_TLSCA_FD}<"${cert_list[2]}"
        export ARCHISO_TLSCA_FD
    fi